Data theft is a defined subset of identity theft—in particular, the large-scale theft of customer records from businesses and other organizations. These stolen records are then used to perpetrate identity fraud upon the unsuspecting customers whose data was stolen.
We touched upon data theft in previous chapters because stolen corporate data contributes to a significant portion of today’s identity theft problem. What makes it different from simple identity theft is the magnitude; when a corporate database goes missing, it can affect hundreds of thousands, if not millions, of individuals.
What Is Data Theft?
Data theft is, quite simply, the unauthorized copying or removal of confidential information from a business or other large enterprise. It can take the form of ID-related theft (the theft of customer records) or the theft of a company’s proprietary information or intellectual property.
ID Data Theft
ID-related data theft occurs when customer records are stolen or illegally copied. The information stolen typically includes customers’ names, addresses, phone numbers, usernames, passwords and PINs, account and credit card numbers, and, in some instances, Social Security numbers. When transmitted or sold to lower-level criminals, this information can be used to commit all manner of identity fraud.
A single data theft can affect large numbers of individual victims. There are many examples to cite.
Let’s start across the Atlantic, in England. In January, 2008, two laptop PCs were stolen from Brent’s Central Middlesex Hospital. Each laptop contained hundreds of confidential patient records. Not a large theft (389 records in all), but one particularly disconcerting to the patients whose personal data were compromised.
Then there was the case of the Wilkes-Barre driver’s license center in Hanover, PA, which was broken into in late November, 2006. In addition to assorted office supplies and materials, the thief got away with a computer containing driver’s license information for more than 11,000 citizens.
Not even those companies charged with keeping our data safe are immune from data theft. For example, ChoicePoint, Inc., is a company that collects personal and financial information on millions of consumers. In February, 2005, ChoicePoint reported that it had suffered a security breach and inadvertently sold personal information on 145,000 people to a criminal enterprise. Oops!
A much larger theft occurred in October, 2007, when the financial institution GE Money discovered that a computer tape containing information on 650,000 J.C. Penney customers had gone missing. Although not yet officially confirmed as a theft (it was just “missing”), the tape in question included more than 150,000 Social Security numbers.
Retailers store a lot of valuable data about their customers, which makes them a prime target of data thieves. Thus the story of shoe retailer DSW, which in June, 2005, had 1.4 million customer records stolen. Among those customers affected was then-FTC chairwoman Deborah Platt Majoras—a nice little irony for those who care.
Of course, data theft isn’t limited to the retail sector. Witness the U.S. Department of Veterans Affairs, which had the home of one of its employees burglarized in May of 2006. Stolen in the burglary were a laptop computer and an external disk drive that contained the Social Security numbers of about 26.5 million veterans. That was a big breach—but the story has a happy ending. Thanks to some excellent police work, the hard drive was eventually recovered; it was later determined that the sensitive data had not been accessed.
An even bigger breach was the June, 2005, “security incident” reported by Atlanta-based payment processor CardSystems Solutions. The company handles payments for all the major credit cards, including MasterCard, Visa, American Express, and Discover. Intruders used malicious software code to breach the company’s systems, exposing more than 40 million credit card accounts to potential fraud. Fortunately, only about 200,000 of these accounts were found to be actually stolen, but the FBI was still called in to investigate.
But all these incidents pale compared to the largest reported case of data theft on record. In December, 2006, the TJX Companies (parent to T.J. Maxx, Marshalls, and other retailers) reported a massive computer breach on that part of its network that handles credit card, debit card, check, and merchandise transactions. It appears that hackers made off with more than 94 million records from customers in the U.S. and abroad.
Take a look at that last case again. A single data theft compromised the identities of an estimated 94 million individuals. That’s just an incredible number—and indicative of the impact of this type of computer crime.
Non-ID Data Theft
Customers’ records aren’t the only kind of data that can be stolen from a large organization. Companies of all sorts are hosts to various types of confidential information; this information, if accessed by a competitor, could often lead to a diminishment of the company’s position in the marketplace.
Non-ID data theft occurs when an employee makes one or more copies of a company’s confidential information, and then either uses that information for his own personal use or transmits it to a competitor for the competitor’s use. However it’s done, this is a theft of the business’ intellectual property, every bit as harmful as a theft of money or equipment.
What kind of information are we talking about? A company’s confidential information includes its employee records, contracts with other firms, financial reports, marketing plans, new product specifications, and so on. Imagine you’re a competitor who gets hold of a company’s plans for an upcoming product launch; with knowledge beforehand, you can create your own counter-launch to blunt the impact of the other company’s new product. A little inside information can be extremely valuable—and damaging for the company from which it was stolen.